####################################################################### Luigi Auriemma Application: PcVue http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151 Versions: PcVue <= 10.0 SVUIGrd.ocx <= 1.5.1.0 aipgctl.ocx <= 1.07.3702 Platforms: Windows Bugs: A] code execution in SVUIGrd.ocx Save/LoadObject B] write4 in SVUIGrd.ocx GetExtendedColor C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject D] array overflow in aipgctl.ocx DeletePage Exploitation: remote Date: 27 Sep 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's homepage: "PcVue is a new generation of SCADA software. It is characterised by modern ergonomics and by tools based on object technology to reduce and optimise applications development." ####################################################################### ======= 2) Bugs ======= ------------------------------------------------ A] code execution in SVUIGrd.ocx Save/LoadObject ------------------------------------------------ The aStream number of SaveObject and LoadObject methods available in SVUIGrd.ocx (2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used directly as function pointer: 02695b9d 8b00 mov eax,dword ptr [eax] ; controlled 02695b9f ff5004 call dword ptr [eax+4] ; execution ----------------------------------------- B] write4 in SVUIGrd.ocx GetExtendedColor ----------------------------------------- Through the GetExtendedColor method of SVUIGrd.ocx it's possible to write a dword in an arbitrary memory location: 02198e36 8902 mov dword ptr [edx],eax ; controlled --------------------------------------------------------------------- C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject --------------------------------------------------------------------- The SaveObject allow to specify the name of the file to save while LoadObject the one to load. I have not performed additional research so for the moment the only thing I have seen is the possibility of corrupting the files in the system via directory traversal attacks. I suspect that it's probable the possibility of writing custom content but it has not been proved or verified. ------------------------------------------- D] array overflow in aipgctl.ocx DeletePage ------------------------------------------- Array overflow in the DeletePage method of the ActiveX component aipgctl.ocx (083B40D3-CCBA-11D2-AFE0-00C04F7993D6): 10013852 8b0cb8 mov ecx,dword ptr [eax+edi*4] 10013855 85c9 test ecx,ecx 10013857 7407 je aipgctl+0x13860 (10013860) 10013859 8b11 mov edx,dword ptr [ecx] 1001385b 6a01 push 1 1001385d ff5204 call dword ptr [edx+4] ; execution ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/pcvue_1.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################